
June 17 — What happens when a peashooter is suddenly replaced by a cannon? That is the question
companies are asking about the huge fines that will become available under the European
Union's new landmark privacy law.

After the new General Data Protection Regulation (GDPR) takes effect in May 2018, the
privacy regulators in all 28 EU countries will gain powers to levy multi-million
euro fines for serious privacy infringements.

U.S. companies should be prepared for the possibility of huge fines from EU privacy regulators
even if the prospect of such fines actually being assessed feels remote, privacy attorneys
told Bloomberg BNA. The new privacy law also covers a broader range of companies than
the old law, making it even more important to understand the new sanctions regime,
they said.

The crucial issue for companies won't be about the levels of potential fines, but
how privacy regulators adapt to and exercise their new enforcement powers. For some
privacy regulators, the new level of sanctions available under the GDPR will bring
a dramatic change in enforcement culture, the attorneys said.

Julie Bossaert, a data protection and information security attorney with CMS DeBacker
in Brussels, said that “at the moment there is a high degree of variation” in the
powers of EU privacy regulators to sanction privacy breaches. Fines are “peanuts compared
to what they will be,” she said.

Millions, Even Billions of Dollars in Fines Possible

Under the GDPR, the maximum fines allowed will escalate to 20 million euros ($22.5 million)
or up to 4 percent of a company's global revenues, whichever is higher. The highest-level
fines apply to violations of the basic data processing principles, including the conditions
for consent; of individuals' privacy rights; of the international data transfer rules; and
to noncompliance with orders from privacy regulators.

To put the sanctions tied to worldwide revenue in context, 4 percent of Facebook Inc.'s
worldwide revenue would be approximately $500 million and 4 percent for Walmart Stores
Inc. would be over $19.5 billion.

For lesser infringements, the GDPR will allow maximum fines of the higher of
10 million euros ($11.25 million) or 2 percent of global revenues. Infringements in this
bracket include failure to notify data security breaches, failure to implement
data protection by design and other preventative measures, failure to maintain the
required records of processing activities, and failure to obtain valid consent for
the processing of children's data.

Massive New Powers for Some Regulators

How data privacy regulators acclimate to their new enforcement powers is uncertain.
Companies may have reason to worry.

Although the GDPR is a single law covering all 28 EU countries, enforcement
of the privacy rules will continue to take place at the individual country level.
National data protection authorities (DPAs) will be responsible for overseeing companies
that process personal data and have their “main establishment” in that country.

For many privacy regulators, the new sanctioning powers will be a massive leap.

Bulgaria's Commission for Personal Data Protection, for example, can levy a maximum
fine of about $57,500. Ireland's Office of the Data Protection Commissioner has no
power to impose fines, although it can refer enforcement actions to a court, which
may impose fines of up to 100,000 euros ($112,500).

Regulatory Muscle Flexing?

A concern for companies doing business in the EU is that the sudden increase in fining
power for privacy regulators may encourage some to flex their muscles and seek to
set a benchmark of tough enforcement.

Frédéric Louis, a data protection partner with WilmerHale in Brussels, warned of the
possibility of a rapid ratcheting up of fines.

Fines are “one easy metric for everyone to follow,” Louis said. “As soon as one breaks
ranks and imposes a big fine, immediately the others will want to” do the same.

CMS DeBacker's Bossaert said the new law will also in principle allow privacy regulators
to levy large fines at an earlier stage of enforcement proceedings.

Martin Fanning, an information technology, intellectual property and data protection
partner with Dentons in London, said the potential for high fines has turned data
protection into a “top-table board-level issue.”

Likelihood of High Fines Uncertain

WilmerHale's Louis said companies looking to gauge whether privacy regulators will
be quick to levy fines may want to look to antitrust enforcement, where the number of
cases and the levels of fines increased rapidly after the turn of the millennium.

In antitrust, the European Commission and the U.S. Department of Justice got into
an “arms race as to who was going to impose a bigger fine.” Similar behavior among
EU privacy regulators that “want to be taken seriously”
might “lead to very quick development of high fines,”
which would then become the norm, Louis said.

But other privacy analysts said it is more likely that EU privacy regulators will
adopt a more cautious approach in exercising their new fining authority.

Bossaert said high fines would be a last resort. “I do not see, for example, the Belgian
Privacy Commission imposing a fine of up to 4 percent” of a company's global revenues,
she said.

Alex Whalen, senior policy manager at DIGITALEUROPE, which represents information
technology and consumer electronics companies, said that there remains the possibility
that a particular national privacy regulator might try “to make a statement by going
after a company to make an example of them.”

However, DPAs would likely be aware that rapid recourse to high fines could deter
some companies from investing in the EU, Whalen said. “In general, we find most DPAs
to be quite reasonable,” he added.

According to Louis, however, the Article 29 Working Party, the body of EU data protection
authorities that issues guidance on the privacy rules, has “not been a force for restraint;
rather they have been a force for very strict enforcement of the rules,”
and this could indicate a willingness to opt quickly for tough sanctions.

Reach of Privacy Law Expands

The range of companies that may face privacy fines expands under the new privacy
regulation. Under the old law, only data controllers, the companies that actually decided
how personal data would be used, were subject to sanctions. Under the new regulation,
data processors, companies that handle personal data on a controller's behalf even though
they didn't themselves collect the data or decide how to use it, may also be fined.

Deema Freij, senior vice president with Intralinks, a provider of secure cloud services
and thus a data processor, said that data processors are worried about the fines.

“This is the first time that processors have a direct compliance risk,” Freij said.
Companies engaged in data processing are going back to data controller companies and
asking to revisit contractual obligations, she said.

Little Fining Experience

High fines for privacy violations aren't completely new in the EU. The Dutch DPA
in 2014 threatened Alphabet Inc.'s Google Inc. with daily fines up to a ceiling of
15 million euros for noncompliance with DPA orders (241 PRA, 12/16/14).

The Belgian Privacy Commission in 2015 referred Facebook Inc. to a Belgian court, where
it received an order to stop tracking non-Facebook users or face a 250,000 euro
($282,171) penalty per day (217 PRA, 11/10/15).

Those fines, however, weren't actually enforced.

Even in EU countries where privacy regulators already have authority to impose relatively
high penalties, there is limited experience of applying high fines in practice.

In the U.K., for example, the Information Commissioner's Office has the power to issue
fines up to 500,000 pounds ($707,250), but the record U.K. fine so far—against Sony
in 2013—was only half that amount (136 PRA, 7/16/13).

Mary J. Hildebrand, founder and chair of the Privacy and Information Security Practice
at Lowenstein Sandler LLP, in Roseland, N.J., said “there's going to have to be significant
guidance in terms of how those fines are levied.”
